Nick Statt* says a hacker discovered that a maker of popular quiz apps on Facebook was exposing the personal data of 120 million users.
A developer of Facebook quizzes under the brand NameTests has been found to have exposed the personal information of as many as 120 million Facebook users, according to a report from TechCrunch.
The company behind NameTests, German app maker Social Sweethearts, created popular social quizzes like “Which Disney Princess Are You?” and distributed them on Facebook, and it has around 120 million monthly users on the platform.
Self-described hacker Inti De Ceukelaire wrote a Medium post last week, outlining how the quizzes were collecting Facebook information like names, birthdays, photos, and friend lists and displaying them in a JavaScript file, one that could be obtained easily by malicious third parties.
Apparently, Ceukelaire attempted to contact Facebook about this multiple times and was told the company would look into it.
And in the wake of the Cambridge Analytica data privacy scandal — in which tens of millions of users had their personal information collected, packaged, and sold to a third-party company — Facebook’s handling of data leaks and security breaches is under especially heavy scrutiny.
Only months later, in June, did Ceukelaire notice that NameTests had changed the way it processed user data to close the leak.
In a statement given to TechCrunch, Social Sweethearts said there was no evidence personal data was exposed to third parties or that the data was ever misused.
“As the data protection officer of Social Sweethearts, I would like to inform you that the matter has been carefully investigated,” the statement reads, though it is not attributed to a named individual.
“The investigation found that there was no evidence that personal data of users was disclosed to unauthorised third parties and all the more that there was no evidence that it had been misused.”
“Nevertheless, data security is taken very seriously at Social Sweethearts and measures are currently being taken to avoid risks in the future.”
Facebook says it handled the issue through its Data Abuse Bounty Program.
“A researcher brought the issue with the nametests.com website to our attention through our Data Abuse Bounty Program that we launched in April to encourage reports involving Facebook data.”
“We worked with nametests.com to resolve the vulnerability on their website, which was completed in June,” said Ime Archibong, a vice president of product partnerships at Facebook, in a statement given to TechCrunch.
Regardless, as one of likely many companies that had less-than-stellar security while operating on Facebook’s platform, Social Sweethearts and its NameTests quizzes may just be the first in a string of under-the-radar cases that third-party auditors and security experts bring to Facebook’s attention.
Facebook said back in March, during the height of the Cambridge Analytica scandal, that it would be auditing apps on its platform to weed out data abuse, and in May, Facebook said it had suspended more than 200 such apps in that investigation.
It doesn’t appear that NameTests would be flagged as a malicious case of user data abuse, as it appears to have been an accidental leak.
Nonetheless, these types of situations don’t bode well for the overall security of Facebook’s platform, especially as users are now more wary of using any and all third-party apps on the social network.
* Nick Statt is a reporter for The Verge in San Francisco. He tweets at @nickstat and his website is nstatt.com.
This article first appeared at www.theverge.com.